The War Z taken offline following hack that exposed user passwords

E-mail addresses, player data and other personal information also exposed.

The War Z, a first-person zombie shooter game with 600,000 players, has been taken offline after attackers gained access to e-mail addresses and password data used to play the game and log in to user forums.

The data exposed in the breach also included in-game character names, the IP addresses players used to access user forums and the game, and any other data contained in the forum or game databases, an advisory posted by game developer Hammerpoint Interactive warned. It said the game and forums will be unavailable while outside experts and investigators pinpoint the cause of the compromise. Payment information was not exposed because payments are processed by a third party and not on The War Z systems.

"If you posted other information to the forum it is likely that such data was accessed as well," the advisory stated. "We do not collect the names or addresses of our gamers so that information was not impacted unless you posted it on the forum. We are investigating whether additional information may have been obtained." The notice warned that e-mail addresses used to register for the game were also obtained.

The advisory said the passwords were "encrypted," which most likely means they were passed through a one-way cryptographic hash algorithm that converts plaintext such as "password" into a theoretically unique string of characters such as "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8." The advisory didn't say what algorithm was used or whether a cryptographic "salt" was added, and without those details the assurance about encryption is largely meaningless. As Ars documented last year, advances in password cracking can quickly ferret out all but the strongest of passwords unless website operators take pains to thwart those techniques. Chief among them is the use of bcrypt, scrypt, or other hash algorithms specifically designed to store passwords. SHA1, MD5 and other fast general-purpose hash algorithms should never be used to hash passwords.

Readers who had The War Z accounts should change their passwords immediately. Passcodes should be randomly generated and a minimum of 10 characters that include numbers, letters and symbols. They should also be unique. Readers who used their War Z password to log in to other sites should change their passcodes for those sites, as well.

Hammerpoint Interactive's advisory said that investigators have already "identified number of ways access was obtained and have enhanced our security to improve game and forum safety. We are undertaking a full review and update of our servers and the services we use and adding additional security mechanisms." The company is e-mailing customers to make sure everyone affected is aware of the breach. Hammerpoint reportedly claims that The War Z has 600,000 registered users and a daily player count of 150,000.

"This has been a humbling experience for us," the advisory stated. "While we all know that there is no guaranty of security on the Internet, our goal is to try our very best to protect your data. We sincerely apologize."

Developers said the game would be shuttered if it didn't have a sufficient number of players after 6 months.

If 600,000 players ain't a "sufficient number of players," something else is horribly, horribly wrong. That, to me, is the shocking part of the article, given the launch issues, and flies in the face of your theory and Apokos's comment, too. Most of the rest of what happened is kind of business as usual in the modern era - you damn well should know at this point to use salt and hashes and all of that good stuff.

The only positive I really see in this is that the company's statement made proper use of the word "humbling", unlike most athletes and people who use it to describe winning a tournament, being loved by fans, or being picked first in the draft. /definitionnazi

Glad I'm not one of them. After all the recent revelations about hacked companies and bad encryption, it is hardly surprising they were another victim given their history (which I can't recall much of being positive).

The breach also comes a few weeks after researchers demonstrated vulnerabilities in EA's Origin game platform and the EA game Battlefield Play4free, where both weaknesses made it possible for attackers to remotely execute malicious code on some players' computers.

Not quite sure how that's even related to this story, other than that they are both video game related. The EA thing was a completely unrelated exploit (targeting users rather than the servers) and, AFAIK, no passwords were compromised.

I had no respect for anyone who gave money to Titov and the other cretins behind "The War Z," but now I just pity them. Still, it is truly satisfying to see that disgusting, money-grubbing ripoff of a "game" crash and burn.

Okay…. So… Probably not, BUT to bring hope to fellow War Z players, here is my theory!

Okay, so after going on a trip to Thorpe Park and having a 30 minute talk about Thorpe Park's scheme to create a hype for 'Swarm' with the manikins getting smashed and stuff when they actually didn't, but yeah, it was just to get people talking about it because 'Any press is good press' as they say, so I have been thinking, what if War Z is doing the same?

Okay, so let's say they have a MASSIVE update coming out (I can't see much about their future updates so you never know) and they want to surprise everyone, so they may need servers to be down, but they create this whole story about getting hacked and shit (Again, any press is good press, right?) so this gets like every PC gamer talking about it! Then when it comes back on there is a huge update with TONS of new shit!

Random idea, but I really hope it would be true :') So yeah, there it is, you never know :L We can all hope :')

We encrypt all passwords. However, there is a possibility that simple passwords can be obtained using brute force even if they are encrypted. Our research shows that many users are not using strong passwords.

Salted passwords shouldn't be capable of being brute forced, if salted properly. The idea being that even 'password' in all the users' password fields would result in different hashes, given sufficient entropy in the salt.

To me that part of the release reads "We used MD5".

Of course, depending on the severity of the hack it might be irrelevant. They could have lifted the code that handles the authentication, revealing the salting method, which means they'll be able to run a rainbow table against the users' details, albeit they will have to generate 600k individual rainbow tables, one for each salt, but it's heading well into the realms of breakable by this point. Whilst I know the cost of a rainbow table is mainly in its re-use, this still means passwords are exposed. Realistically it's going to take one hour to crack the first password with a known salt, though it's going to be less since you won't generate the whole table but bail out once the result is known... though this could all be sped up on EC2.

Salting gives more of a window to protect your password from becoming available, but in the end if your salting method is wild it's a matter of time... and not as secure as some people might believe it is. For what it's worth, I use supergenpass to make specific passwords.


Your understanding of salting is somewhat wrong. Saying a salted password can't be brute forced is totally, totally wrong. The benefit of salting a password is that it invalidates rainbow tables. Appending a random string to the same password will ensure that a different hash is generated when hashing the password. Nothing else. The salt is not meant to be 'secret' in any way like the password is. Leaving it unencrypted in the database is absolutely fine.

Also nobody in their right mind would make a rainbow table for a single password. Do you know how much storage space those things take up? They would simply iterate over all possible passwords comparing the result to the stolen hash, obviously appending the salt to their own iterations.

Saying it's going to take an hour to crack the first password with a known salt is also completely false. The only way this is true is if you're using a very weak password, 1-7 characters lowercase. Otherwise the same rules as a non-salted password apply when brute forcing. More characters = exponential cracking time; most things over 8 characters are not feasible to crack in a small amount of time.

Brute forcing a weak salt with a poor mechanism is obviously possible.

Quote:

They would simply iterate over all possible passwords comparing the result to the stolen hash, obviously appending the salt to their own iterations.

Right, that's basically what I said... barring the saving aspect. You'd have to take any result from the rainbow table, add it to the hashing function and append it to the result and compare... once for every password.

A basic rainbow table with even say the common 10,000 passwords and a known salt would start to reveal passwords. But that is still valuable to a hacker. Salting doesn't have to be secret, but it's slightly more secure if it is. It might be a layer of obscurity, but that might give a bit more time before passwords start becoming available. It's why I don't like seeing separate salt and password fields in databases. Another reason being, if you as the hacker are unsure what part of the string you are looking at is the salt and what part is the hash, it's virtually impossible to start brute forcing, as the extra presence of the salt in the string will make any brute force attempt unsuccessful.

Know the salt and start running tests on simple passwords which are simple to compute, and you can work out the entire method quickly.
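To make concrete both the article's point about purpose-built password hashes and the exchange above about what a salt does and does not buy, here is an added Python example (not code from the article, from Hammerpoint, or from any commenter). It builds a small password store under three schemes, unsalted SHA-1, salted SHA-1 and scrypt, then runs a defender's exposure check against each: first a table precomputed once from a wordlist, then per-user guessing with the salt known. The user records and wordlist are constructed sample values, not breach data, and the scheme names and function names are this example's own.

```python
import hashlib
import hmac
import os
import time

# Constructed sample records, not data from the breach: three users picked
# weak passwords (two of them the same one) and one picked a long random one.
USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "letmein",
    "dave": "Xq7!vR2#pL9mT4wZ",
}

# Constructed stand-in for a public "most common passwords" list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]

SCRYPT_N = 2 ** 14  # cost parameter; scrypt needs 128 * r * n bytes of RAM per hash (16 MiB here)


def sha1_unsalted(password: str) -> str:
    """The scheme the article warns against: a fast hash with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Fast hash with a per-user random salt: defeats precomputed tables, nothing more."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def scrypt_hash(password: str, salt: bytes) -> str:
    """A purpose-built password hash: salted and deliberately expensive per guess."""
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=8, p=1, dklen=32).hex()


def hash_for(scheme: str, password: str, salt: bytes) -> str:
    """Dispatch on the (hypothetical) scheme name used throughout this example."""
    if scheme == "sha1":
        return sha1_unsalted(password)
    if scheme == "sha1+salt":
        return sha1_salted(password, salt)
    if scheme == "scrypt":
        return scrypt_hash(password, salt)
    raise ValueError(f"unknown scheme {scheme!r}")


def build_store(scheme: str) -> dict:
    """Password store as {user: (salt, digest)}. The salt sits in the clear next
    to the digest, which is normal and fine: the salt is not a secret."""
    store = {}
    for user, pw in USERS.items():
        salt = b"" if scheme == "sha1" else os.urandom(16)
        store[user] = (salt, hash_for(scheme, pw, salt))
    return store


def verify(scheme: str, store: dict, user: str, candidate: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt, digest = store[user]
    return hmac.compare_digest(hash_for(scheme, candidate, salt), digest)


def exposure_to_precomputed_table(store: dict) -> tuple:
    """How many users fall to a table computed ONCE, before any breach, from the
    wordlist, and how many share a digest with another user (which reveals that
    they share a password). A per-user salt drives both counts to zero."""
    table = {sha1_unsalted(w): w for w in WORDLIST}
    recovered = sum(1 for _, digest in store.values() if digest in table)
    digests = [digest for _, digest in store.values()]
    return recovered, len(digests) - len(set(digests))


def exposure_to_per_user_guessing(scheme: str, store: dict) -> tuple:
    """With the salt known, the table cannot be reused: every guess is recomputed
    per user. Returns (users recovered, hash computations spent, seconds spent).
    Salting does not change the first two; only a slow hash raises the third."""
    recovered, work = 0, 0
    start = time.perf_counter()
    for user, (salt, digest) in store.items():
        for word in WORDLIST:
            work += 1
            if hmac.compare_digest(hash_for(scheme, word, salt), digest):
                recovered += 1
                break
    return recovered, work, time.perf_counter() - start


if __name__ == "__main__":
    print("unsalted SHA-1, precomputed table:", exposure_to_precomputed_table(build_store("sha1")))
    print("salted SHA-1, precomputed table:  ", exposure_to_precomputed_table(build_store("sha1+salt")))
    for scheme in ("sha1+salt", "scrypt"):
        rec, work, secs = exposure_to_per_user_guessing(scheme, build_store(scheme))
        print(f"{scheme:10s} per-user guessing: {rec} recovered, {work} hashes, {secs:.3f}s")
```

Run as a script, the unsalted store gives up the three weak passwords to a table built once and also shows two users sharing a digest; the salted store gives up nothing to that table and has no duplicate digests. Under per-user guessing both salted schemes lose the same three users after the same 13 hash computations, which is the point made in the thread: the salt only kills reuse of precomputed work. The seconds column is where scrypt earns its keep, since each of those 13 guesses costs a memory-hard computation instead of a microsecond of SHA-1, and that cost scales with SCRYPT_N rather than with anything the attacker controls.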


My friends and I were checking out the War Z beta - one of us had bought an account and he was letting us try it on our computers. Before he let me use his ID/password to log in, I decided to try and log in with a dumb entry to see if the server would get me patched up while I waited. I used "test@test.com" as the e-mail address and "test" as the password. To my awe, I became logged in on a developer account after the patching process and had access to an inventory full of high-level items, and most likely some GM commands (if only I knew what they were!). The players began talking excitedly about a developer being logged on, but we just stayed silent, walked around, and laughed on Vent. I tried again a few hours later and the dev team had changed their password/email combination.

Have any of you considered that maybe the 600,000 players playing The War Z are playing it because they're having fun?

So many people are in the negative reactionary choir: "I'm glad I didn't pay for this, and I'm double glad that there are other people who didn't pay for it who are here to reinforce me".

I agree, however, I don't think that's the connotation most people are behind. The game is an inherent mess. You can find many "sources" on why people believe it to be more of a scam. If you have more of a justice perspective this may all be considered speculation.

If anything, The War Z is a heavily unpolished game. If you enjoy philosophy, you could try to define polish, but if the above doesn't describe why people are frustrated, then that is how some enjoy the game. They accept or deny the pronounced problems. They conform to its mediocrity (if that).

I can't explain how one can play a game where the developers largely make no stand on their promises, hackers dominate the playing field, bugs are everywhere, and there is little polish (gameplay). But every game has its fan base.